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5. VVER safety systems 


In the last part of the course, VVER safety systems are discussed. The terminal train- 
ing objectives are: 1) to list the safety systems used to carry out functions for design 
basis (DBC) and design extension (DEC-A) conditions, 2) to list the NPP with VVER 
1200 safety systems. The corresponding enabling training objectives are: 


m to familiarize trainees with The following topics are covered in this part of the course: 
the basic requirements and 


nuclear safety approaches 1. safety fundamentals for NPPs: main aspects relevant to safety of 
implementation in the Modern NPPs and responsibility; 

Russian designed NPP with 

VVER 1200 power reactor; 2. design and safety functions: legal acts and requirements for safety, 


; ; from the top level down to safety systems of NPPs; 
m to describe the defence-in- 


depth concept implementation 3. detailed description of VVER safety systems based on basic safety 
for the NPP with VVER 1200; functions for NPPs: 

m to list the VVER safety a. reactivity control; 
systems; 


b. heat removal from nuclear fuel; 
m to describe the principles of ee N 
NPP with VVER. 
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5.1. Safety fundamentals for NPPs 


Firstly, the term safety should be defined. It is a very 
complicated concept and in different languages it can 
be defined in different ways. Here is the definition from 
Wikipedia: 


I. Safety is the state of being «safe>> (from French ‘sauf’), 
the condition of being protected from harm or other non- 
desirable outcomes. Safety can also refer to the control of 
recognized hazards in order to achieve an acceptable level 
of risk. [Wikipedia] 


This is safety in general, a fundamental explanation of 
safety. In this course, safety particular to NPPs, especially 
to VVER technology, should be considered. As defined by 
the International Atomic Energy Agency (IAEA): 


II. Safety means the protection of people and the environment 
against radiation risks, and the safety of facilities and activities 
that give rise to radiation risks. “Safety” as used here and 
in the IAEA safety standards includes the safety of nuclear 
installations, radiation safety, the safety of radioactive waste 
management and safety in the transport of radioactive 
material; it does not include non-radiation-related aspects 
of safety. [IAEA] 


And specifically nuclear safety: 


m GEESE The achievement of proper operating 
conditions, prevention of accidents or mitigation of 


accident consequences, resulting in protection of workers, 
the public and the environment from undue radiation 
hazards. [IAEA] 
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To consider safety from different points of view, 
here are definitions from the Oxford dictionary and 
the Rosatom site: 


IV. Safety — the condition of being protected from or 
unlikely to cause danger, risk, or injury. [Oxford 
dictionary] 


V. Safety is a property of nuclear power plants to provide 
reliable protection of personnel, the public and 
the environment from the unacceptable radiation 
exposure in accordance with federal norms and rules 
in the use of atomic energy. [www.rosatom.ru] 


The last one is a direct interpretation of the Russian 
legislation requirements, Russian federal norms and 
rules. What is safety in your county? Consider how safety 
for NPPs can be defined in your country. For example, 
here is an explanation from the Finnish Nuclear Energy 
Act: 


VI. Safety — the use of nuclear energy must be safe; it 
shall not cause injury to people, or damage to the 
environment or property. [Finland, Nuclear Energy 
Act 11.12.1987/990. Section 6 — Safety] 


Generally, safety means protection of people and 
environment from nuclear energy, unacceptable 
risk, and damage. If there are levels of protection, the 
first should be protection of people and the second— 


protection of environment. 
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Major industrial disasters 


In this section, several major industrial 
disasters which have happened in human 
historyare discussed. Mostpeopleare probably 
familiar with the Three Mile Island accident, 
or Chernobyl and Fukushima disasters. 
Today everyone has heard something 
about the Fukushima disaster and can say 
something about the explosion, tsunami, and 
earthquake. But as the experience in reading 
these safety lectures shows, less than 10% 
of trainees know anything about the Bhopal 
accident. Coming back to the last definition 


of safety in the previous section: safety is 
Eee ee of people. NO people) 


In terms of this understanding of safety, the 
damages of this disaster were not so high. In 
the Bhopal disaster at least 3,787 people died. 





Figure 5.1.1. Bhopal, India, 1984. Deaths: at least 3,787; over 16,000 
claimed. Non-fatal injuries: at least 558,125. An accident at the pesticide 
plant in Bhopal, India, released at least 30 tons of a highly toxic gas. The 

plant was surrounded by shanty towns, leading to more than 600,000 people 

being exposed to the deadly gas cloud that night. 

For a global perspective, different accidents 

need to be compared from two points of 

view: one aspect is the economic losses, and 

the other—how many people have died. As 

illustrated in Figure 5.1.2, Fukushima costed 

about 160 billion euros in today’s prices. The 

Bhopal accident costed roughly 0.5 billion 

euros and 4,000 human deaths. This shows 

that not all results of accidents are always 

taken into account. Sometimes it is possible 

to spend money on safety without a clear 

understanding of what safety is. 
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Top 20 accidents with the highest total cost 


Pernis 
Romeoville 
Pampa 
Bintulu 
Alabama 
Tessaloniki 


LaMede 0 40 80 120 160 


Norco Cost in 2011 prices 

Bhopa M (billion Euros) 
Mina Al-Ahmadi 
Enchova Central 
Campos Basin 
Skikda 
Toulouse 
Chernobyl 
Pasadena 
| Three Miles island Es U U 


Piper Alpha 


Piper Alpha 


Gulf of Mexico 


Fukushima 






Place of Accident 


o 200 400 600 800 1000 1200 1400 
Cost in 2011 prices (million Euros) 
Figure 5.1.2. Costs of major industrial disasters. 


Previous experience of accidents and disasters and 
feasible allocation of money should always be considered 
for the safety arrangements in new NPPs. For this reason 






y 
as possible, but it should be reasonable. Which is why, 
for example, NPPs are built at the ground level. It is 
possible to dig a huge cave and put an NPP underground 
to cover and protect it from external hazards. This is a 
very good protection; it will also be extremely expensive. 
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Figure 5.1.3. Pasadena, USA, 1989. Devastating series of explosions 
and fire in Pasadena, US. The initial blast registered 3.5 on the Rich- 
ter scale, and the conflagration took 10 hours to bring under control. 
Twenty-three employees were killed and 314 injured. Source: www. 
ariquemesonline.com.br/noticia.asp?cod=302779&codDep=24. 


If the number of people who died as a result of NPP 
operation is taken into account, it is clear that the 
amount of money necessary to put NPP underground 
is unreasonable. Considering all years of experience in 
using nuclear power as an energy source, for medical 
purposes, and for scientific research, the total number of 
people who died because of nuclear radiation amounts to 
approximately 6,000. Compare this number with the fact 
that in Russia, 30-35,000 people die every year in road 
accidents. So it is 6,000 for about a century of nuclear 
industry versus 30-35,000 per year for road accidents. 
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Responsibility 


Who is responsible for the operation of NPPs? In some cases during 
the operation it is possible to have accidents. Someone needs to take 
responsibility for them, needs to spend money and conduct repairs. Full 
scope analysis and assessment of accidents show that the main mistake, 
the main failure can mostly be traced to manufacturers, designers, or 
scientific institutions. But every international legislation, all negotiations 
and all countries agree: full responsibility lies on the operato 
EE E is why 
the role of operator, the role of personnel, is to understand what safety is 
and how to ensure the highest possible and reasonable level of safety. NPPs 
are built for commercial use, to produce electricity, sell it to people, and to 


get money from this activity. Safety and economic efficiency both should be 
taken into account. Therefore 


plants sa cop ; ion under a to peat states an be a to rons 


report, and eliminate factors endangering safety. Personnel shall be given 
the opportunity to contribute to the continuous improvement of safety. 
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5.2. Design and safety functions 






Safety levels 
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Containment | of consequences 
of radioactivity 
release during 
Control a severe accident 
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Figure 5.2.1. Defense-in-depth: five successive levels of protection. 


The topic of this section is safety functions and safety implementation 
fundamentals for VVER. At the top level, a concept for ensuring safety should 
be identified. 
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Defense-in-depth is a philosophy 
to ensure nuclear safety 


"i wa 


Organizational and technical measures Physical barriers 


m Level 1. Prevention of abnormal operation and failures = Fuel matrix (pallets) 


m Level 2. Control of abnormal operation and detection of failures = Fuel rod cladding 


= 


= Level 3. Control of accidents = Reactor coolant system boundary 


= Containment 


New safety requirements 


a Level 4. Severe accident management Population 
= Level 5. Emergency planning ; and environment 
protection 


Figure 5.2.2. Defence-in-depth principle. 


For NPPs the defense-in-depth concept is realized in five 
successive levels of protection: 


the level of danger, and it should be difficult for 
accidents to happen. 


1. Prevention. The first level is the preliminary level: 


before commissioning an NPP, preliminary measures 
should be undertaken. For example, a good site should 
be chosen for the NPP, good legislation should be 
written for choosing the site. Further, the systems 
should be designed with a concept of conservatism, or 
homeostasis, in mind: if something happens at the NPP, 
every system should strive to return to safe and stable 
state. Imagine a ball in a pit—it is in stable position. 
If the ball is placed on top of sharp rock, the ball falls 
down and returns to stable state. This illustrates the 
inherent tendency towards the return to balance in the 
system: it should be physically impossible to increase 


The inherent Safety principle for VVER should already 
be familiar: if the temperature in the primary circuit 


is increased, the reactor tries to shut down the chain 
reaction to reduce the temperature. This is a negative 
reactivity effect discussed in section 2.4. For VVER 
plants it is obligatory to have all negative reactivity 
effects: the temperature of coolant reactivity effect, 
the pressure in the primary circuit reactivity effect, the 
power in the steam generator and the turbine reactivity 
effects. If the level of power is increased, nuclear 
reactor tries to shut down; the relation between them 


is negative. 
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2. Control of anticipated operational occurrences. Systems and measures should 
be identified to control occurrences. Occurrences do not belong to normal state, 
but are not yet accidents. They happen during abnormal operation, in which 

case there should be systems such as th 








3. Control of accidents. Accidents need to be controlled, or rather, managed. 


ora s, and for ere is a long list o 
safety systems identified for this level. 


4. Containment of radioactivity release during a severe accident. The difference 
which implies that all methods 
to cool down the reactor core and to shut down nuclear reaction (using safety 


systems and standard procedures, trying to provide safety functions) are found 
to be ineffective. 





5. Mitigation of consequences. Plans and measures should be available to manage 
accidents on site of NPPs. If there is no way to prevent the release of radioactivity 
(for VVER, in the containment), there should be plans for evacuation to ensure 
safety and protection of people and environment. For some NPPs in some 
countries, it is possible to divide this level into sublevels. A good example of 
this practice is the requirements of the Western European nuclear regulation 
authorities, which are used in Finland, for instance. In Finnish legislation level 
5 is divided into level 5a and 5b by the type of accident. It is possible to have a 
deeper defence with increased number of levels to ensure the safety. 
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Physical barriers system 


There are strict requirements for 
manufacturing the pellets and for prevention of the 
release of fission product from the pellets. Pellets have 
a specified structure and material composition. High 
standards during manufacturing and rigorous testing 
are provided for certification. As a result, the structure 
of fuel pellets prevents the release of fission products 
from the pellets during the NPP operation. 


. Fuel element cladding. The pellets are located inside 


control rods. Control rods are pipes made from 
zirconium-niobium alloy with two end caps. This is the 
second barrier to prevent the release of radioactivity 
from fuel pellet into the primary circuit. There are 
strict rules for the fuel rod cladding manufacturing 
and a special testing procedure provided for this 
equipment. 


. Reactor and primary circuit system. The main 


equipment of the primary circuit consists of reactor 
with reactor head, main circulation lines, reactor 
coolant pumps, and steam generators. The pressurizer, 
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Barrier 1 Barrier 2 


circuit system 





Prevents releases of radioactive substances 
a Protects against extemal effects 
Biological radiation shielding 


Figure 5.2.3. Physical barriers system. 


relief tank, and four emergency core cooling system 
tanks are connected to the primary circuit. Airtightness 
of the primary circuit should be provided during all 
operation conditions of NPPs, including accidents and 
severe accidents. Pressure relief valves can reduce 
the pressure, prevent the equipment from cracking 
and being destroyed. As mentioned before, there are 
valves between the pressurizer and relief tank which 
can release steam from the primary circuit to ensure its 


airtightness. 
a 
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4. Containment. Two types of containment are possible in VVER: one-wall 
containment and double-wall containment. One-wall containment has 
two functions: 1) prevent release of radioactivity from inside to outside; 2) 
ensure protection of the primary circuit equipment inside the containment 

from external forces. In case of double-wall containment, there are two 

walls and two containments, one inside the other. 





implement either one-wall containment or double-wall containment. For 
Modern Russian designed NPP with VVER 1200 power reactor, generation 
3+, double-wall containment is provided. After that, depending on the 
NPP site requirements, the thickness and dimensions of the containment 
are calculated to ensure protection from different external hazards. In 
case of airplane crashes, the biggest possible airplane with full fuel tanks 
carrying maximum load is taken into account. It is possible to account for 
a simultaneous crash of two airplanes in case of different requirements 
from the customer, which will increase the price of NPP and consequently, 
of electricity production. 
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Design basis conditions (DBC) and design extension conditions (DEC) 


In the deterministic safety analysis, as per the level of possible negative consequences and an occurrence 
probability, the list of Design Conditions is divided into several categories: design conditions 2, 3, 4 (DBC-2, DBC- 
3, DBC-4), design extension conditions A, B, C (DEC-A, DEC-B, DEC-C), and severe accidents (SA). Application 
of principles for old NPPs is not allowed for modern NPPs 






ow, new types of accidents 

q e Fukushima case or the biggest 
airplane crash—which are called Beyond Design Basis accidents. For new NPPs, calling them beyond design is not 
practical, as they should be considered during the design stage. That is why these types of failures are taken into 


account and combined in different conditions: 
“DBA m Design Basis condition 3 and 4 (DBC-3, DBC- 
4). n level 3 
CA DBA. and 4 different accidents are taken into account. 





Severe 
Accidents 









DBC-4: 


Potential Radiological Impact 


m Design Extension Condition (DEC-A, DEC-B 
DEC-C 





1 07 1 0-6 104 4 0-2 1 are considere 


Frequency (per reactor and per year) 


Figure 5.2.3. Design basis conditions (DBC) and design extension m Severe accidents (SA): only accidents with core melt. 


diti DEC), where DBA — design basi ident, CCF — ; es ‘ ; 
P Gace i Po saa ac comme" Different conditions also have different frequencies: 


cause failure events, EEI — extremely external impacts. 1 ti h ibl d 
Source: www.iaea.org/INPRO/7th_Dialogue_Forum/Rosatom_1.pdf. HORDA. OPFTAMOI OCCHLS A5: MC dS; Pos). AN 
severe accidents happen as rarely as possible. 
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Acceptance criteria 


Acceptance criteria for normal and 
abnormal operation, or accidents, 
during operation of NPPs must be 
determined. In Russian legislation, 
only the maximum permissible 
release of radioactivity from NPP 
into environment is identified as 
the main acceptance criterion. Other 
countries, for example Finland, 
identify different acceptance criteria 
for different conditions. For example, 
for DBC-3 the maximum effective 
dose should be 1 millisievert (mSv), 
for DBC-4—5 mSv, for DEC the 
effective dose should be below 20 
mSv. All accidents are characterized 
by the calculated maximum release of 
radioactivity into the environment. 
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Radioactivity release into containment atmosphere under LOCA accidents 
is ever determined by presence of damaged fuel cladding in the core. 
The following acceptance criteria are provided in the design: 


=m For DBC-3: the number of damaged fuel rods shall not exceed 1% 
of the total number of fuel rods in the core; 


m For DBC-4: the number of damaged fuel rods shall not exceed 
10% of the total number of fuel rods in the core. 


In accordance with Gov. Decree 717/2013 (and then YVL C.3) in case of 
accidents the expected annual irradiation dose of the critical group of 
population shall be limited to: 


= DBC-3: effective dose below 1 mSv; 
= DBC-A: effective dose below 5 mSv; 
m DEC: effective dose below 20 mSv. 


For severe accidents: not more than 100 terabecquerels (TBq) for 
atmospheric release of caesium-137 (Cs-137). No large scale protective 
measures for the population, nor any long-term restrictions on the use 
of extensive areas of land and water are required. Evacuation of people 
living in close proximity to the NPP is not required. 








For some countries, like Finland and others, conditions of the design level 5 
(plans for evacuation and mitigation of consequences) should be practically 
eliminated. During the design stage, full explanation and full analysis of 
the probability of these accidents, as well as methods of prevention should 
be provided to ensure that the evacuation of people around the NPP is 
not required. The ability to arrange practical elimination is of paramount 
importance. The worst possible situation with the maximum possible release 
of radiation should be assessed. 
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Plant Design Envelope § ++ pesign Envelope > Fundamental safety functions 


Operational States Accident Conditions 











Conditions 
practically 
DBAs eliminated 


(safety systems) 






NO 











1n every condition): 








1. Control of reactivity. It should be possible 
LEVELS OF DEFENCE INIDEPNI to stop nuclear chain reaction in any 
condition. An example of implementation 


LEVELT |: LEVEL 2 PES LEVEL sae ee method is control rods: they can be pulled 
inside the core, which shuts down the 


reaction. 


nee E o o ue 2. Removal of heat from the reactor. In any 
condition, it should be possible and there 


should be time necessary to cool down the 
reactor (residual heat!). An example of 
implementation method is emergency core 





£ In emergency conditions cooling tanks, which can supply coolant 
5 Operational plant states basis accident arising in the case of beyond to the primary circuit and cool down the 
g andere cre reactor for some time; after that, cooldown 
8 by the secondary circuit with natural 
circulation could be arranged in VVER. 
3. Prevention of the release of radioactivity. 
Barriers should be present to ensure there 
£ (  Fomowmlothoattomtorasor | is no release of radioactivity from inside the 
S reactor into the environment. An example 
S Confinement of radioactive material, shieldin i i of imp lementation method is reactor 
= F g against radiation and control of planned containment. 


radioactive releases, as well as limitation of accidental radioactive releases 





Some additional principles should be taken into 
account for ensuring safety functions, discussed 
in the next sections. 
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m Level 3a includes systems ensuring 
execution of safety functions during 
accidents of classes 1 and 2 (DBC-3 and 
DBC-4). 


E includes systems ensuring 
execution of safety functions under the 
conditions when level 3a systems cannot 
perform their functions as a result of 
common-cause failures, external effects, or 
other complex accident sequences. 


Basic safety functions 


Consider the following combination of safety systems based on 
such division. During the design stage, not only fundamental 
safety functions should be taken into account—based on 
the fundamental functions, basic safety functions should be 
identified. For example, not only should A. reactivity control 
(Table 5.3.1) be ensured, basic safety functions have to be 
provided, such as: 


m fission reaction termination; 
m reactor power limitation; 
m subcriticality assurance. 


Considering the division of safety functions into levels 3a 
and 3b, for the fundamental safety function B. heat remov- 
al from nuclear fuel, no less than five basic safety functions 
are identified, and for C. localization of activity, there are seven 
safety functions. Basic safety functions support execution of 
fundamental safety functions. If basic safety functions are 
provided, the fundamental safety functions are ensured. 
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Fundamental safety AE: B. Heat removal or a 
A. Reactivity control E fuel C. Localization of activity 


CA: Limitation of pressure 


AA: Fission reaction BA: Maintenance of inside the containment, 
termination primary coolant inventory heat removal from the 
containment 
AB: Reactor power BB: Heat removal from CB: Localization inside the 
limitation primary coolant containment 
AC: Subcriticality BC: Primary circuit CC: Localization outside 
Basic safety assurance integrity assurance the containment 


functions BD: Secondary circuit 


integrity assurance CD: Localization in SG 


CE: Localization in 
auxiliary systems 


CF: Fuel handling 


BE: Cooling of spent fuel 


CG: Radioactive waste 
handling 


Table 5.3.1. Fundamental safety functions and their corresponding basic safety functions. 





Accident management strategy includes: 
m bringing the NPP to the controlled state; 
= bringing the NPP to the safe state. 


Controlled state is the state when the fission chain reaction stops and residual heat is removed from the 
fuel. Safe state is the state when the fission chain reaction stops, residual heat is removed from the fuel and 
there is no excessive pressure within physical barriers 3 and 4. 
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Design principles of safety systems 


Safety systems are designed in accordance with the building with the safety system. 
principles ensuring their reliability and failure tolerance: 


m Redundancy principle. System redundancy— 
application of multi-train systems. An example of 





this principle is the active part of the emergency = Diversity principle. It is possible to arrange 


core cooling system. There are different active 
systems which can be used to ensure safety 
functions. For example for Modern Russian 
designed NPP with VVER 1200 power reactor, 
‘there are four independent safety trains, Another 
example of redundancy is component redundancy. 
The connection line between the emergency core 
cooling tanks and the reactor has one-way valve, 
but in case of VVER, there are two one-way valves. 


The redundancy of components and elements is 
exemplified by two valves on one line. 





Independence principle. There are two ways to 
ensure independence: physical separation and 
functional separation. Physical separation implies 
different places for the construction of different 
safety trains. For VVER, there is a special safety 


equipment to be manufactured by different 
suppliers. As a result, such equipment has different 
parameters and different probability of failure 
during various operational conditions. Choosing 
different equipment from different suppliers 
ensures diversification of safety. 


Reliability of safety systems and equipment is provided 
by the quality of their design, manufacturing, and 
maintenance; it is expressed by their safety class. 


It is possible to have different combination of safety 
systems ina VVER plant. Along list of elements and systems 
can be used to ensure safety (Figure 5.3.1). But in general, 
there are three fundamental safety functions, about 15 
basic safety functions, and based on safety functions, 
combinations of safety systems can be arranged. 
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Passive hydrogen recombiners JMT 






Spray system header JMN 


ECCS hydroaccumulators JNG-2 


Pressurizer PORV JEV 
Reactor JAA 








PHRS steam generators JMP 


Containment 
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RCPS JEB 
Core catcher JMR 









[SG SV and BRU-ALBA | Sump tank (low-concentrated 

| MSIV LBA | borated water inventory) JNK 
mergency alkali storage tank JNB90 
mergency boron injection pump JDH 


Low pressure safety injection 
pump JNG-1 


High pressure safety injection 
pump JND 


Demineralized water storage tank LAS 
Emergency feedwater pump LAS 
ECCS heatexchanger JNG-1 


Heat exchanger of the intermediate 
cooling circuit for essential consumers 
KAA 


Pump of the 





Makeup and boron control 
istem pump ABA 
Exhaust ventilation unit 
Special water treatment filters KBE 


Aftercooler of primary circuit 
blowdown KBA 
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Fuel pool cooling pump FAK s for essential c 
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boricacid solution JNK emicals storage 
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Fuel pool cooling Chemicals supply 
stem FAK pump JMN 


Figure 5.3.1. General diagram of safety systems and means. 
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5.4. A. Reactivity control 


The first fundamental safety 


function is A. cane control. 


m CPS rods: under emergency 


conditions, CPS rods are 
moved into lower position 
in response to emergency 
protection (EP) signals and 
in case of power output loss. 





system can add coolant with 
boric acid to the primary 
circuit with very high 
pressure—up to 24.5 MPa— 
and cool down the reactor. 


Design principles of diversity and 
redundancy are exemplified by the 
combination of these two systems. 
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Emergency injection system 


Supplies boric acid solution with the concentration of 40 g/kg and 
temperature of at least 20 °C at any pressure in the primary circuit 
within the range of 0.098-24.5 MPa. 


The system has a four-train structure. System performance 
functioning is: 


m 4 x 33% — functioning in ATWS (DEC); 

m 4x 50% -— functioning in PRISE (DBC-4). 
The system includes the following: 

m plunger pumps; 

m valves; 

m pipelines. 


JNK system stores boric acid solution inventory with the 
concentration of 40 g/l. The design provides for four tanks with the 
operating capacity of 50 m3. 
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Types of accidents: ATWS and PRISE 


Some types of accidents require only one system to ensure safety functions, other 
types require two or more. For all types of conditions, the efficiency level of the 
system needed to ensure the safety functions should be identified. For example, 
for the emergency injection system, there is redundancy of four trains at 33% 
during anticipated transients without scram (ATWS), which is type DEC accident. 


The NPP accidents can be also classified according to the initial event: e.g. reactivity 
accidents, thermal accidents, leakages, and others. For each, a probability of 
occurrence can be calculated. Consider ATWS, anticipated 


The second type of accidents 


accident. In the steam generator, pri ary to s on primary it leal is e (PR S) 


nominal level of pressure is th 

tubes and the coolant of the secondary circuit is outside the tubes. A leakage from 
the primary to the secondary circuit through these pipes is possible as a result of 
e.g. an earthquake. For such a case, there is a system which supplies coolant to 
the primary circuit under high pressure (up to 24.5 MPa). 
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5.5. B. Heat removal from nuclear fuel 


The next fundamental safety function is B. heat removal from nuclear fuel, 
which can be arranged in different ways. As mentioned before, there are 
different basic safety functions identified to ensure this fundamental safety 
function. 


BA: maintenance of primary coolant inventory 





Containment PHRS heat 


PHRS tanks 
exchangers 


ECCS hydraulic p F x : 
accumulators JNG-2 C <= % aes eee 
Q SS 
High pressure safety ¢ 5 
n m 


injection pump JND 
j pump ae 





Pump of intermediate 
cooling circuit system 
KAA 


Heat exchanger of KAA 
system 


Pump tanks JNK Boric 


Heat exchanger JNG-1 AETR RE 


Pump of KBB system 


Pump of the service water system for Low pressure 
essential consumers emergency injection Controller KBA Low-capacity pump KBA 
pump JNG-1 


Figure 5.5.1. Arrangement of the main systems and means ensuring 
coolant inventory maintenance and NPP primary circuit makeup. 
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The first basic safety function is BAA A a 
.5.1). The design provides the following systems and means 


for examp 


different number of safety trains. 
provided in different ways. 


PHRS tanks 


Containment PHRS 
system tanks 


Steam generator 


Pure 
condensate 
Reactor storage tank 





Figure 5.5.2. Arrangement of the main equipment 
ensuring RP cooldown to 130 °C. 
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BB: heat removal from primary coolant 


=s 


densers, 6 — steam generators, 7 — isolation valves. 








G6 UJA building 


Figure 5.5.3. System for passive heat removal through steam generators, where 
1 — emergency heat removal tanks (EHRT), 2 — steam lines, 3 — condensate 
pipelines, 4 — SG PHRS valves, 5 — containment PHRS heat exchangers-con- 
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For example 





The secondary circuit in the steam 
generator is connected to heat exchangers, 
located on top of the reactor building over 
the containment. These heat exchangers 
are placed inside tanks with cold water. 
It is possible to have natural circulation 
of coolant in the lines connecting heat 
exchangers and steam generators, which 
removes heat from the steam generator. 
Consequently, the primary circuit can be 
cooled down by using steam generators. In 
case of natural circulation in the primary 
circuit (as it is for VVER), this results in 
the cooldown of the reactor. 
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BC and BD: primary and secondary circuit integrity assurance 


Pressurizer 

PORV 
Pressurizer Pressurizer 
safety valve 


Bubbler 








m from RCPS head; 


= from head of pumps of the 
makeup and boron control 
system (KBA); 


= by the pump of the emergen- 


ERA cy boron injection system. 





Boric acid Low-capacity : ; : 
solution 40g/l Pump JDH pump KBA The following hardware is provided 
SAS in the design for pressure relief: 
Figure 5.5.4. BC and BD: Primary and secondary circuit integrity assurance. E a valves of pressurizer 
and SG; 


Next basic safety functions are BC and BD: primary and secondary circuit 

integrity assurance. For these purposes, safety systems are identified, such m BRU-A; 

as the reactor control protection system (RCPS) head venting, and so on. : . 

There are different ways of ensuring the m safety valves in the residual 
heat removal system. 
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BE: spent fuel cooling 





Pressurizer relief devices Pump FAK 


The primary circuit overpressure 
protection system includes three 
pilot-operated relief valves, each Pump KAA 
consisting of the following: 


Heat exchanger FAK Pump KBB 


Pump FAL 


Heat exchanger KAA 


= main valve; 





= relief valves with pipelines; Pump of the service water 
system for essential 
consumers 


= cutoff valve; 





| spring setting valve; Heat exchanger JNG1 Sump tank JNK 
= additional control line with Spent fuel pool FAK 
three successive valves. 
PORV1 control — actuation pressure: Figure 5.5.5. BE: Spent fuel cooling. 
18.11 MPa. 


The following systems are provided in the design to remove heat from 
PORV2, PORV3 operating - actua- ‘spent fuel assemblies stored in the spent fuel pool (BE: spent fuel cooling, 
tion pressure: 18.6 MPa. igure 5.5.5): 


E = the independent fuel pool cooling system (FAK); 














FAK system pumps, FAL system pumps, KBB system pumps, JMN system 
pumps are used for maintaining water level in the spent fuel pool. 
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5.6. C. Localization of activity 


The third fundamental safety function is C. Localization of activity. Safety systems should be 
E for SA the a of the containment 


OMN); 








Py 
On, 
7 \ 
Pump JMN 
Heat exchanger KAA 
Pump of the service water 


system for essential 
asa a AE 
| Gisss 
Heat exchanger JNG1 


PHRS tanks 





Containment PHRS 


heat exchangers 
| Spray nozzles 
Figure 5.6.1. CA: Limitation of pressure inside the containment, 
heat removal from the containment. 
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The first one is the system which is used for all VVER 
plants starting from VVER-1000—the spray system 
(JMN). Through a sprinkler system on the roof of the 
containment 











Hydrogen recombiners 


Passive hydrogen recombiners are located on top of the 
containment and in some areas inside the containment. 
Inside the recombiners, there is a combination of 
different materials which, if they have direct contact 
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with hydrogen, burn it automatically. Heat and water 
are produced as a result. 


What happened in Fukushima? A lot of hydrogen was 
produced during the accident. Operators had to find a 
way to remove it from the building. They could not finda 
safe way to do it, which resulted in hydrogen explosion. 
This situation is not possible for VVER, because in VVER, 
hydrogen recombiners provide a way to burn hydrogen. 
Their amount is calculated based on the worst-case 
scenario with maximum production of hydrogen during 
the accident. 


some e 7 comes ei rog am ay ae primary circuit 


coolant. The second source is the reaction between 
zirconium and steam in the reactor in conditions of 
high temperature. As a result of this reaction, a lot of 
hydrogen is produced. Another source is the reaction 
between stainless steel, which is the structure material 
of the reactor, and steam. It happens at the highest 
temperatures and also produces hydrogen. Consequently, 
a lot of hydrogen is produced inside the reactor, and 
without hydrogen recombiners it is possible to have 
hydrogen explosion inside the containment. 
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Figure 5.6.2. Accident localization system. 





> 5. VVER safety systems 


Accident localization system 


There are different types of penetrations inside the 
containment— places for tubes, pipes, connection lines, 
gates for personnel, etc. The arrangement of these 
penetrations should be regulated. If the pressure is high, 
isolating devices are used to control the leakages through 
these penetrations and to isolate them in automatic mode. 


leak-proof steel liner; 





reinforced concrete enclosing structures; 
manholes, locks; 

penetrations; 

isolating devices. 
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Reactor building Safety building 





Steam cell 


Alignment of safety trains in the NPP 
with VVER 1200 layout 


Figure 5.6.3 illustrates four independent safety trains which can 
be identified for Modern Russian designed NPP with VVER 1200 
power reactor. They are all oriented in one direction. From the 
point of view of the airplane crash hazard, it might be dangerous. 
But calculations and assessments of the risk show that, with this 
alignment, all safety function are provided and safety is ensured. 


To summarize, in this part of the course the fundamentals of 
ensuring safety for NPPs are identified, basic safety functions 
providing the fundamental safety are explored, and safety systems 
needed to implement these functions, constructed according 
to the design principles, are listed. This approach presents a 
comprehensive view of safety for NPPs: from top (fundamentals) 
to bottom (implementation). 
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Standby diesel generator 
station building 


Figure 5.6.3. NPP with 
VVER 1200 Layout. 


